Why do COUNT requests not get funneled through the "fetch" hook?
jamesw6811
started a topic
about 9 years ago
You mention in your documentation that a "fetch" hook can be used to deny access to a collection, but a COUNT request can still get information about the collection even if access is denied, can't it?
I am restricting access to the collection using business logic, but COUNT does not get filtered through the fetch hook. Isn't this a big security risk? How am I supposed to restrict access correctly using business logic?
Edward
said
about 9 years ago
Hey. `Fetch` is another name for a `Get` HTTP request. The `Count` operation is technically an `aggregate`, and does not use the same pipeline as a GetEntity or Get request from the java/android libraries.
I would recommend using access control lists `_acl`, which is a provided GenericJson class you can add to your entities. Take a look at Caroline's post here to get some more info on how to set them up: https://support.kinvey.com/discussion/comment/201904552
Caroline
said
about 9 years ago
Hi James, I think this relates back to another [thread](https://support.kinvey.com/discussion/201272251/how-do-i-offer-access-of-a-private-collection-to-another-user "thread"). I'll copy paste the answer here, too.
If you use ACLs instead of restricting through BL, then _count would respect that. The best way to do that is via the REST API. I put up a post about usergroups and permissions here, which may help: https://support.kinvey.com/discussion/comment/201904552
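The difference the replies describe, as an added example that is not part of the original thread and is not Kinvey code: a constructed in-memory model in which a hook guards only the fetch route while the count route bypasses it, beside record-level `_acl` filtering applied to both routes. The `creator` and `r` fields, the sample records, and all function names are assumptions made for illustration.

```javascript
// Constructed sample data; the _acl shape (creator, r) is an assumption.
const records = [
  { _id: "1", _acl: { creator: "alice", r: [] } },
  { _id: "2", _acl: { creator: "alice", r: ["bob"] } },
  { _id: "3", _acl: { creator: "bob", r: [] } },
];

// Record-level check: the creator, or any user listed in r, may read.
function canRead(user, rec) {
  return rec._acl.creator === user || rec._acl.r.includes(user);
}

// Design A (hypothetical): authorization lives in a hook on the fetch route only.
function makeHookBackend(fetchHook) {
  return {
    fetch: (user) => (fetchHook(user) ? records.slice() : { error: 403 }),
    // The aggregate route is a separate pipeline and never calls the hook.
    count: (_user) => records.length,
  };
}

// Design B (hypothetical): every route reads through the same ACL filter.
function makeAclBackend() {
  const visible = (user) => records.filter((rec) => canRead(user, rec));
  return {
    fetch: (user) => visible(user),
    count: (user) => visible(user).length,
  };
}

// Run both designs for one user and return what each route discloses.
function compare(user) {
  const hook = makeHookBackend((u) => u === "alice");
  const acl = makeAclBackend();
  return {
    hookFetch: hook.fetch(user),
    hookCount: hook.count(user),
    aclFetch: acl.fetch(user).map((rec) => rec._id),
    aclCount: acl.count(user),
  };
}

console.log(compare("mallory"));
```

A useful regression check for any backend with per-route hooks is to issue every read-type request (fetch, count, other aggregates) as an unauthorized user and confirm none of them discloses more than the fetch route does.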